Major privacy flaw found in Dolphin HD browser for Android

Dolphin HD, a popular third-party Web browser for Android, relays every URL …

Dolphin HD has long been our favorite third-party Web browser for Android. Its excellent tabbed user interface, add-on system, and gesture support have made it a popular choice among Android enthusiasts. But recent versions of the browser have introduced a startling privacy flaw.

Discussions in the XDA forums and a report published on the Android Police blog yesterday revealed that every URL loaded in Dolphin HD is relayed as plain text to a remote server. The article includes screenshots from a packet sniffer that clearly demonstrate the issue—it’s an unambiguous breach of privacy.

In response to the resulting controversy, the company behind Dolphin issued a statement explaining the situation. Recent versions of Dolphin introduced a feature called Webzine that offers a specialized presentation of websites. When a user visits a website, the URL is relayed to Dolphin’s servers which determine whether the Webzine view is supported for the specified destination. The company contends that the data is not collected or retained. It subsequently issued an update to disable the feature and said that it will be made opt-in in future versions.

As a frequent user of Dolphin HD, I was disappointed by this privacy blunder. In addition to failing to inform users of this dubious practice up front, Dolphin’s developers also made poor implementation decisions that exacerbated the privacy risk. It’s fortunate that the Android enthusiast community detected this behavior.

I don't feel the practice was dubious at all. The goal was to simply render a better view for your site if said view existed. It was an effort to achieve better user friendliness. The privacy "blunder" is clearly nothing more than an oversight.

Removing the feature then reimplementing it in terms of an opt-in prompt (similar to when you enable GPS services) should be enough to settle the issue.

Does Dolphin Mini have this same feature? That's what I typically use.

I guess I feel the same as Mapex - this doesn't seem THAT bad (assuming they don't collect your URLs). Practice sounds similar to other features like Kindle Fire. Opting in to turn on the feature should be an option though.

The XDA developer that discovered this breach initially reported this to the Dolphin devs on their forum. His posts at the Dolphin forums were repeatedly removed by the Dolphin moderators. Dolphin did not respond to this until it hit the news sites.

Further, the Dolphin developer's explanation doesn't pass the smell test. They claim they needed every single URL - (including SSL and query strings? Really?) in order to compare them with a tiny list of sites (less than 300) that support their WebZine feature. Really?

Wouldn't it have been FAR better to hash that tiny list of sites into a file and make that file available to Dolphin users, rather than send every single URL back home? Why the query strings? Why the SSL?

I think we now know the reason Dolphin is free - not even ad supported. The developers are probably making a nice income on the search metrics from their users.

(The latest is that the XDA developer that discovered this breach says that even after the Dolphin devs pushed out an update claiming to stop this practice, the browser is still phoning home with every URL.)

And it continues... More malware for Android. So how long before end users start needing malware protection running on their phones? Imagine how sluggish the UIs are going to be with constant malware protection running.

Their explanation sounds bogus. They currently have 300 participating webzine sites. How is that not something that their app can track in a local database on the phone? The software could easily check to see if a site you visit was a webzine site without transmitting any URLs to their server. What they did was lazy and/or unethical.
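The on-device check the commenters above propose (ship the short list of Webzine sites to the browser, hashed, and match locally), sketched as an added example that is not Dolphin's code. The hostnames, the function names and the choice of SHA-256 over the hostname are assumptions made for illustration.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-ins for the vendor's list of Webzine-capable sites
# (the thread puts the real list at under 300 entries).
SUPPORTED_HOSTS = ["news.example.com", "magazine.example.org", "blog.example.net"]


def host_digest(host):
    """SHA-256 of the lower-cased hostname, without a trailing dot."""
    return hashlib.sha256(host.lower().rstrip(".").encode("utf-8")).hexdigest()


def build_list(hosts):
    """The small file the vendor would ship inside the app or as an update."""
    return frozenset(host_digest(h) for h in hosts)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def webzine_supported(url, shipped):
    """Decide on the device whether a Webzine view exists for this URL.

    Only the hostname is examined. Path, query string and fragment are
    never read, and nothing is transmitted anywhere.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False                      # malformed URL
    if parts.scheme not in ("http", "https"):
        return False                      # file:// and other local schemes
    if not host or is_ip_literal(host):
        return False                      # private-network addresses never match
    return host_digest(host) in shipped


SHIPPED_LIST = build_list(SUPPORTED_HOSTS)
```

Hashing a list this small does not keep it secret; the privacy gain comes from the lookup happening on the phone, so no URL has to leave it.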

For the love of god, you can't intercept a digital connection between the phone and the cell tower without having the phone's encryption keys; it doesn't matter if EVERYTHING was sent in plain text. Today's cell phone isn't an analog signal that you can just dial up a single frequency and lock onto it. Data constantly changes the frequency it's transmitting and receiving, just the same as a voice call. The only thing that knows what bits belong to any one cell phone is the cell provider's switch, which controls EVERYTHING and is heavily firewalled. Even to service a cellphone or cellular equipment requires very expensive equipment and then setting the hardware into service mode, either the phone or cell site equipment, and then all the configuration you can do is RSSI and SQE adjustments on the test channel. There's a reason you're not seeing cloned phones anymore these days: analog is dead and long gone, any traffic is nothing more than noise to anyone ever trying to listen, and it will be many different phones' information at the same time, none of which is decipherable since you don't know where the stop or start bits are, what DS0 is being used that millisecond on the T1 or T3 at the site; there is no constant data stream that sits still.

Does the Dolphin HD version I got from the App Store and sometimes use on my iPad engage in the same tattling behaviour? If so, how did that get past the Apple evaluators? If not, why did the developers feel they needed it in the Android version?

I don't feel the practice was dubious at all. The goal was to simply render a better view for your site if said view existed. It was an effort to achieve better user friendliness. The privacy "blunder" is clearly nothing more than an oversight.

For the love of god, you can't intercept a digital connection between the phone and the cell tower without having the phone's encryption keys; it doesn't matter if EVERYTHING was sent in plain text. Today's cell phone isn't an analog signal that you can just dial up a single frequency and lock onto it. Data constantly changes the frequency it's transmitting and receiving, just the same as a voice call. The only thing that knows what bits belong to any one cell phone is the cell provider's switch, which controls EVERYTHING and is heavily firewalled. Even to service a cellphone or cellular equipment requires very expensive equipment and then setting the hardware into service mode, either the phone or cell site equipment, and then all the configuration you can do is RSSI and SQE adjustments on the test channel. There's a reason you're not seeing cloned phones anymore these days: analog is dead and long gone, any traffic is nothing more than noise to anyone ever trying to listen, and it will be many different phones' information at the same time, none of which is decipherable since you don't know where the stop or start bits are, what DS0 is being used that millisecond on the T1 or T3 at the site; there is no constant data stream that sits still.

I think you missed the point. It's not that the URL is rendered in plain text and that some third-party could intercept it, it's that the data - every URL you enter or visit - is being sent back to Dolphin. They see every URL that any of their users is looking at. Without notifying the users that this is being done.

And from the sounds of things, not really being very up-front about the fact that they were doing it (and apparently still are, despite promises to the contrary).

And it continues... More malware for Android. So how long before end users start needing malware protection running on their phones? Imagine how sluggish the UIs are going to be with constant malware protection running.

A bit sensationalist much?

At best it's an oversight for a stupid feature. At worst it's data that isn't of much value even if it is intentional.

It's really not worth getting worked up over, but you're probably the type of person who disables all web analytics because I'm sure in your mind that sites care about what you as an individual are doing.

It's recording and reporting back ALL sites visited, including SSL and query strings. It's a big freaking deal.

Shudder wrote:

At best it's an oversight for a stupid feature. At worst it's data that isn't of much value even if it is intentional.

The data is not of much value?

You clearly don't know the value of site metrics. We are talking about complete logs of every single user / browser interaction for what is perhaps the largest third-party browser on both Android and iOS.

There are organizations that pay a great deal of money for that type of data. Given Dolphin's negligent response to this issue, I have to suspect this is exactly what Dolphin was up to.

Shudder wrote:

It's really not worth getting worked up over, but you're probably the type of person who disables all web analytics because I'm sure in your mind that sites care about what you as an individual are doing.

If it's nothing to get worked up about, why did the Dolphin devs lie about the reasons they were doing it?

Their explanation doesn't begin to pass the smell test. If they were really only matching sites to a tiny, sub-300 site list, they could far more easily have uploaded the list to the user, instead of the other way around. Further, their explanation provides absolutely no rationale for the logging and sending of query strings and SSL data.

What they've done is very likely a violation of law in some of the regions in which they distribute their app.

So what does Lookout *do* as far as malware detection? Should this traffic have been flagged, or do I need to run something else (or PAY for Lookout) to watch my back?...

The bad part is that neither Lookout nor any other anti-malware software would have detected this behavior.

Anti-malware software on Android is almost completely worthless, as the moment Lookout or any other software identifies an app as malware, Google removes it from the market (and in some cases, removes it from user machines).

A good firewall could probably keep non-browser apps from phoning home, but a browser's job is internet connectivity. It would be very difficult to stop a purposefully deceitful browser from reporting home. A browser vendor simply has to be trusted. Dolphin has broken the trust.

"Update: It’s come to our attention that the hot fix update we pushed out last night on Android Market (7.0.1) did not fix the issue. It has now been resolved and is live on the Android Market as Dolphin Browser HD v7.0.2. Again, user privacy is a huge priority for us and we thank you for your patience while this has been resolved."

I was going to give the Dolphin HD developers the benefit of the doubt using 7.0.2, but decided to give a low rating on Android Market to warn them that this was not an acceptable practice. Then about 5 minutes later I checked the market and saw it was SWAMPED with 5 star reviews of 2 words in length. In 5 minutes my review had been buried! I can't imagine that many people reviewed even a bigtime app like Dolphin HD in 5 minutes, and can only conclude that they're trying to quash worrying info with fake reviews. This kind of review gaming is just the lowest form of business. Well, suffice it to say I just removed Dolphin and will go out of my way to avoid it in the future. I hate business like that. Sure, anyone can make a mistake, but take your drubs and don't try to bury the truth; you just lost yourselves a paying customer.

I always thought that web zine thing that's been updating lately is complete garbage anyways, I don't want something needlessly complicating the already delicate act of surfing the web on a mobile phone. Now this ...Dolphin HD was my go to browser as well.

The update notes on the Marketplace don't say anything about this either, just some other irrelevant stuff, though sure this reason was the main point in getting this current "update" out. Very shady and spineless, not impressed.

Edit:

It's even worse than this article talks about, from the original post bringing it up:

Ever since the 'webzine' 'feature' came out (in version 6), this app forwards the URL of:

- Every link you click.
- Every search you enter.
- Every page you load.

This includes:

- SSL URLs.
- QUERY_STRINGS.
- IP addresses on private networks and file:// urls.

*Also* you will see that when he brought it to their attention on their official forums the comment was in limbo for moderation for 2 days then finally *deleted*. They tried to hide this and sweep it under the rug ...and what's the first thing they say in their blog?

"At Dolphin, privacy and user safety has always been (and will continue to be) our top priority."

Their explanation sounds bogus.

If they really didn't realize that this would be a major privacy breach, their dev team needs to be summarily fired for incompetence. Where are they living, in 1995? On their blog, they thanked somebody for the suggestion to use a hash... That's pretty much first quarter CS curriculum... Geez.

Overall, I'm not upset by this and will continue to use Dolphin. But it is disappointing to see that these kind of security issues are still intentionally put into apps and software.

"these kind of security issues are still intentionally put into apps and software" because of your first statement. If people don't get pissed off about it and tell the developers that you're going elsewhere, they have no incentive to change.

Don't just roll over and take it. Ditch Dolphin and use something else.

When I posted that, it was accurate. At that time, Dolphin claimed they had fixed the issue - they had not!

tigerhawkvok wrote:

Also, reread the end of the Dolphin blog post:

"Update: It’s come to our attention that the hot fix update we pushed out last night on Android Market (7.0.1) did not fix the issue. It has now been resolved and is live on the Android Market as Dolphin Browser HD v7.0.2. Again, user privacy is a huge priority for us and we thank you for your patience while this has been resolved."

This is simply where they admit (kinda) that their earlier claims of having fixed the issue were not true. Notice that they don't really say or admit what they did wrong.

Now with this 2nd update in a day - it seems that they've apparently - finally - stopped sending data home, but who knows what the next Dolphin update will bring. I'm not going to run Wireshark every time a new Dolphin update comes out.

Further, their explanation does not begin to pass the smell test. Their release notes for this update don't even mention the reason it is being updated.

This is not the way an innocent mistake is handled. This is the way a company acts when they've been busted. They know they've been caught red handed, they're still not admitting what they've done, I don't trust them not to do it again. I expect the lesson they've taken from this is not that they've done wrong, but that next time, send back user data encrypted.

Dolphin have lost any benefit of the doubt, and with it, any trust I have in their products. There are a lot of browser vendors out there, I'm simply choosing another - likely Opera.

And it continues... More malware for Android. So how long before end users start needing malware protection running on their phones? Imagine how sluggish the UIs are going to be with constant malware protection running.

True or false: Apple is being irresponsible by allowing users to run any software of their choice on Mac OS X.